IETF Logo Mail Archive

Re: [jose] Whether implementations must understand all JOSE header fields

Mike Jones <Michael.Jones@microsoft.com> Thu, 20 December 2012 02:12 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61BF721F858C for <jose@ietfa.amsl.com>; Wed, 19 Dec 2012 18:12:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.749
X-Spam-Level:
X-Spam-Status: No, score=-2.749 tagged_above=-999 required=5 tests=[AWL=-0.151, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-tHxSPHuMVX for <jose@ietfa.amsl.com>; Wed, 19 Dec 2012 18:12:42 -0800 (PST)
Received: from NA01-BY2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.31]) by ietfa.amsl.com (Postfix) with ESMTP id 99D7721F84DE for <jose@ietf.org>; Wed, 19 Dec 2012 18:12:42 -0800 (PST)
Received: from BY2FFO11FD007.protection.gbl (10.1.15.203) by BY2FFO11HUB032.protection.gbl (10.1.14.177) with Microsoft SMTP Server (TLS) id 15.0.586.12; Thu, 20 Dec 2012 02:12:40 +0000
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD007.mail.protection.outlook.com (10.1.14.128) with Microsoft SMTP Server (TLS) id 15.0.586.12 via Frontend Transport; Thu, 20 Dec 2012 02:12:40 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.50]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0318.003; Thu, 20 Dec 2012 02:12:03 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] Whether implementations must understand all JOSE header fields
Thread-Index: Ac3da4u39ZRiYSLMQBShe+M/5UR54QAALdFQAAH0xRAAByH0sAAkEbRAAApz+pAAAl46sAAAXPvwAABfavA=
Date: Thu, 20 Dec 2012 02:12:02 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436697B301@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394366968592@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E115040898B5@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739436696ABC0@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E115041F5FFC@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B168042967394366977627@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E115042EDB0C@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739436697AEE2@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E115042EDB85@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E115042EDB85@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.73]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436697B301TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(51704002)(377454001)(44976002)(74662001)(15202345001)(74502001)(47446002)(49866001)(31966008)(16236675001)(50986001)(51856001)(47976001)(4396001)(56816002)(47736001)(53806001)(77982001)(76482001)(59766001)(55846006)(5343655001)(16406001)(46102001)(5343635001)(512874001)(33656001)(54356001)(56776001)(54316002); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB032; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 07013D7479
Subject: Re: [jose] Whether implementations must understand all JOSE header fields
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 02:12:43 -0000

Fair enough, but I am also very confident that every implementation trying to use a compressed payload where it was expecting an uncompressed one would quickly notice the difference and then do what it takes to get their implementation fixed/updated. ☺

                                                            -- Mike

From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
Sent: Wednesday, December 19, 2012 6:08 PM
To: Mike Jones; jose@ietf.org
Subject: RE: [jose] Whether implementations must understand all JOSE header fields

> The prefix for “alg” values would have exactly the same property as adding a new header parameter. If the new alg value was not understood, the JWS would be useless to the receiver.

I am very confident that every (reasonable) JOSE implementation will notice the “alg” value, ie fail-safe on an unrecognized “alg” value.

> (Just as it would be useless if a new header value was used, if not understood.)  I’m not sure why the former is any more usable than the latter.

I have far far less confidence that every (reasonable) JOSE implementation will notice an unexpected field, particularly a known field in an unexpected context.

--
James Manger
                                                                Cheers,
                                                                -- Mike

From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
Sent: Wednesday, December 19, 2012 5:39 PM
To: Mike Jones; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] Whether implementations must understand all JOSE header fields

> “zip” is a perfect example of indicating a change of semantics with the presence of a new field.  The processing of a JWE without a “zip” field is different than the processing of it with one.  An implementation must understand the field to use the resulting JWE.  The same would be true of any JWS that used a “zip” extension.
>
> It would never be safe to ignore this field, whether defined as part of the base spec, or defined as an extension later.

I agree.
When I looked at a handful of publicly available JOSE implementations quite a while ago none enforced the “MUST understand everything” rule — so a zip-for-JWS extension would be dangerous for them. One implementation later added code to enforce the rule using one fixed list of all header fields defined in JW* — so a zip-for-JWS extension would be dangerous for that too.

We know the “MUST understand everything” rule makes it hard to deploy non-critical extensions.
It seems to me that the rule also makes it dangerous to deploy critical extensions.
About the only safe way to define a critical extension will be to define a prefix for “alg” values (eg "alg": "zip;RSA1_5"). I hope that isn’t the most practical option we leave for anyone wanting to extend JOSE.

--
James Manger

v2.23.0 | Report a Bug | By Email